September 24, 2021

Volume XI, Number 267


Massachusetts Enforces Data Security Regulations Against Out-of-State Entity

On July 23, 2014, the Massachusetts Attorney General announced a consent judgment with an out-of-state Rhode Island hospital, Women & Infants Hospital of Rhode Island (“WIH” or the “Hospital”), resolving a lawsuit against WIH for violations of federal and state information security and privacy laws involving the loss of over 12,000 Massachusetts residents’ sensitive patient health records. The regulations and laws at issue were Mass. G.L. c. 93A, Mass. G.L. c. 93H and its implementing regulations codified at 201 C.M.R. 17.00 et seq., as well as federal regulations under the Health Insurance Portability and Accountability Act (“HIPAA”).

Massachusetts’ data security regulations, 201 C.M.R. 17.00 et seq., are among the most comprehensive in the country. When the regulations first went into effect in March of 2010, many wondered whether the Massachusetts Attorney General would pursue actions against out-of-state enterprises, given the regulations’ unique reach to all “persons” or entities inside or outside of Massachusetts that own or license the personal information of Massachusetts residents. Since 2010, however, the Massachusetts Attorney General has predominantly focused efforts on data breaches of Massachusetts-based businesses—launching enforcement proceedings against Massachusetts hospitals, a major Boston restaurant group, and a medical billing practice and associated medical providers.

In 2011, WIH misplaced nineteen backup tapes from two prenatal centers—one in Providence, Rhode Island and one in New Bedford, Massachusetts. The tapes contained personal information and protected health information, including patients’ names, dates of birth, Social Security numbers, dates of medical examinations, physicians’ names and ultrasound images, for 12,127 Massachusetts residents and approximately 1,200 Rhode Island residents. The Massachusetts Attorney General’s Office cited “deficient employee training and internal policies” that prevented the breach from being discovered and reported in a timely manner. The Hospital did not discover that the tapes were missing until the spring of 2012 and failed to report the breach to consumers and the Massachusetts Attorney General’s Office until the fall of 2012.

The consent agreement requires the Hospital to pay $150,000 to the Commonwealth of Massachusetts and to take steps to ensure compliance with state and federal security laws, including hiring an outside firm to perform audits and maintaining an up-to-date inventory of all locations, custodians, and descriptions of unencrypted electronic media and patient charts containing personal information.  Unlike Massachusetts, however, the Rhode Island Attorney General did not bring a civil suit against WIH, stating that under the Rhode Island identity theft protection law, the Attorney General was satisfied by the actions taken by the hospital to notify Rhode Island residents potentially impacted by the data breach and to offer them one year of credit monitoring.  This may be a sign of Massachusetts’ more aggressive approach to privacy and data security enforcement. 

The case is significant because it represents one of the first Massachusetts enforcement actions against an out-of-state entity under both Massachusetts regulation 201 C.M.R. 17.00 and the new provisions of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. The HITECH Act provides state attorneys general with the authority to enforce out-of-state violations of HIPAA, including disclosure of Protected Health Information (“PHI”), on behalf of state residents. Thus, this case also represents the continued efforts of state attorneys general to use their relatively new enforcement power to enforce HIPAA under HITECH.

If this consent judgment is representative of future privacy enforcement proceedings launched by the Massachusetts Attorney General, then businesses outside the Commonwealth that hold relevant personal information may be well-advised to broadly re-examine their data security procedures, including preventative measures, to avoid running afoul of Massachusetts’ strict data security regulations. Furthermore, any business entity that handles PHI under the protection of HIPAA and the HITECH Act may want to undergo a similar internal data security review, given the increasing frequency of enforcement proceedings by attorneys general nationwide.

© 2021 Proskauer Rose LLP. National Law Review, Volume IV, Number 226

About this Author

As innovations in technology make it easier to track, collect and process personal information about individuals, companies of all kinds are challenged to manage the way that they use data to both comply with U.S. and non-U.S. laws and to protect such data from unauthorized access. In addition to maintaining compliance in a continuously evolving legal landscape, companies must also contend with industry standards promulgated by a wide array of diverse and sometimes overlapping industry groups. Yet, on a daily basis we hear reports of companies having suffered data...
